(57) ABSTRACT

Mechanisms for reducing the number of block masks 
required for programming multiple access control lists in an 
associative memory are disclosed. A combined ordering of
masks corresponding to multiple access control lists (ACLs) 
is typically identified, with the multiple ACLs including n 
ACLs. An n-dimensional array is generated, wherein each 
axis of the n-dimensional array corresponds to masks in their 
requisite order of a different one of the multiple ACLs. The 
n-dimensional array progressively identifies numbers of 
different masks required for subset orderings of masks 
required for subsets of the multiple ACLs. The n-dimen- 
sional array is traversed to identify a sequence of masks 
corresponding to a single ordering of masks including masks 
required for each of the multiple ACLs. 



30 Claims, 16 Drawing Sheets 
REDUCING THE NUMBER OF BLOCK
MASKS REQUIRED FOR PROGRAMMING
MULTIPLE ACCESS CONTROL LISTS IN AN
ASSOCIATIVE MEMORY

TECHNICAL FIELD 

One embodiment of the invention relates to communica- 
tions and computer systems, especially networked routers, 
packet switching systems, and other devices using associa- 
tive memories (e.g., content-addressable memories); and 
more particularly, one embodiment relates to reducing the 
number of block masks required for programming multiple
access control lists in an associative memory. 

BACKGROUND 

The communications industry is rapidly changing to 
adjust to emerging technologies and ever increasing cus- 
tomer demand. This customer demand for new applications 
and increased performance of existing applications is driv- 
ing communications network and system providers to 
employ networks and systems having greater speed and 
capacity (e.g., greater bandwidth). In trying to achieve these 
goals, a common approach taken by many communications
providers is to use packet switching technology. Increas- 
ingly, public and private communications networks are 
being built and expanded using various packet technologies, 
such as Internet Protocol (IP). 

A network device, such as a switch or router, typically
receives, processes, and forwards or discards a packet based
on one or more criteria, including the type of protocol used
by the packet, addresses of the packet (e.g., source, desti-
nation, group), and type or quality of service requested.
Additionally, one or more security operations are typically
performed on each packet. But before these operations can
be performed, a packet classification operation must typi-
cally be performed on the packet.

Packet classification as required for, inter alia, access
control lists (ACLs) and forwarding decisions, is a demand-
ing part of switch and router design. The packet classifica-
tion of a received packet is increasingly becoming more
difficult due to ever increasing packet rates and number of
packet classifications. For example, ACLs typically require
matching packets on a subset of fields of the packet header
or flow label, with the semantics of a sequential search
through the ACL rules.

Access control and quality of service features are typi-
cally implemented based on programming contained in one
or more ACLs. To implement features in hardware, these
multiple ACL lists are typically combined into one list,
which can be used for programming an associative
memory. Various techniques are known for combining these
items, such as Binary Decision Diagram (BDD) and Order
Dependent Merge (ODM). For example, if there are two
ACLs A (having entries A1 and A2) and B (having entries
B1 and B2), then ODM combines these original lists to
produce one of two cross-product equivalent ordered lists,
each with four entries: A1B1, A1B2, A2B1, and A2B2; or
A1B1, A2B1, A1B2, and A2B2. These four entries can then
be programmed into an associative memory and an indica-
tion of a corresponding action to be taken placed in an
adjunct memory. Lookup operations can then be performed
on the associative and adjunct memories to identify a
corresponding action to use for a particular packet being
processed. There are also variants of ODM and BDD which
may filter out the entries which are unnecessary as their
values will never allow them to be matched. Merged entries
which are order independent can be sorted based on com-
mon masks, and programmed into the block masks of an
associative memory (which typically does not significantly
reduce the number of block masks required), or can be
programmed in any order in an associative memory where
each entry has its own mask field. Nonconsecutive merged
entries which remain order dependent must maintain their
ordering when programmed into an associative memory, and
thus cannot be rearranged to reduce or eliminate redundant
masks when entries are masked using block masks. Also,
one or more of these techniques may produce an increased
number of entries and/or block masks required for program-
ming the resultant entries into an associative memory.

An example of an associative memory using block masks
is described in Ross et al., “Block Mask Ternary CAM”,
U.S. Pat. No. 6,389,506, issued May 12, 2002, which is
hereby incorporated by reference. In a nutshell, a block
mask is a mask that is applied to each entry of a block of
entries. Such an associative memory typically has numerous
blocks and corresponding block masks. FIG. 1A shows one
such prior art associative memory 100, having multiple
blocks 110, 120, and 130, each with corresponding block
masks 111, 121, and 131 for blocks of associative memory
entries 112, 122, and 132.

FIG. 1B illustrates a prior art approach for combining
masks of two ACLs 150 and 152, having masks as shown
with their corresponding required ordering. The result of a
first approach for combining these lists is shown in ordering
155, in which entries of ACL-2 152 are concatenated at the
end of entries of ACL-1 150 to produce an ordering that
requires m masks, where m is the sum of the number of
masks required for each of ACLs 150 and 152. The results
156 and 157 of a second approach are similar, but allow the
mask at the end of a list to be used by both ACLs 150 and
152 if the last required mask of one ACL is the same mask
as first required by the other ACL; the number of masks
required is then m minus a small number of overlapping masks.
However, this does not significantly reduce the overall
number of masks required, which can be a problem as the
number of different masks in the required order is directly
correlated to the number of ACL entries which can be stored
in a block mask associative memory. Thus, an efficient way
of allocating these masks is desired.

SUMMARY 

Disclosed are, inter alia, methods, apparatus, data struc- 
tures, computer-readable medium, mechanisms, and means 
for reducing the number of block masks required for pro-
gramming multiple access control lists in an associative 
memory. 

One embodiment identifies a combined ordering of masks
corresponding to multiple access control lists (ACLs), the
multiple ACLs including n ACLs. A required ordering of
masks for each of the n ACLs is identified. An n-dimensional
array is generated, wherein each axis of the n-dimensional
array corresponds to masks in their requisite order of a
different one of the multiple ACLs. The n-dimensional array
progressively identifies numbers of different masks required
for subset orderings of masks required for subsets of the
multiple ACLs. The n-dimensional array is traversed to
identify a sequence (e.g., the order or reverse order) of
masks corresponding to a single ordering of masks including
masks required for each of the multiple ACLs. The single
ordering of masks maintains the ordering of masks required
for each of the multiple ACLs with one or more masks
corresponding to a different ACL or other feature in between
one or more consecutive masks of an ACL of the multiple
ACLs.

In one embodiment, a last position identified by a last
column and last row of the array identifies the number of
different masks required for the single ordering of masks. In
one embodiment, the matrix is traversed based on said
numbers of different masks required for subset orderings of
masks required for subsets of the multiple ACLs. One
embodiment maintains indications from where said numbers
of different masks required for subset orderings of masks
required for subsets of the plurality of ACLs are generated,
and the n-dimensional array is traversed based on said
indications from where said numbers of different masks
required for subset orderings of masks required for subsets
of the plurality of ACLs are generated. One embodiment
populates multiple block masks of an associative memory
with said masks required for the multiple ACLs such that the
single ordering of masks is produced in the associative
memory. Rather than combining all n ACLs at a time when
n is greater than two, one embodiment successively com-
bines two ACLs together, then combines that result with a
next ACL, and so on.

One embodiment identifies a combined ordering of masks
corresponding to a first ACL and a second ACL. A first
ordering of masks required for the first ACL is identified. A
second ordering of masks required for the second ACL is
identified. A matrix of the first and second orderings of
masks is generated, with the matrix progressively identify-
ing numbers of different masks required for subset orderings
of masks required for subsets of the first and second ACLs.
The matrix is traversed to identify a sequence (e.g., the order
or reverse order) of masks corresponding to a single order-
ing of masks including masks required for the first ACL and
the second ACL. The single ordering of masks maintains the
first ordering and second orderings of masks with one or
more masks corresponding to a different ACL or other
feature in between one or more consecutive masks of the
first and second ACLs.

In one embodiment, a last position identified by a last
column and last row of the matrix identifies the number of
different masks required for the single ordering of masks. In
one embodiment, the matrix is traversed based on said
numbers of different masks required for subset orderings of
masks required for subsets of the first and second ACLs. One
embodiment maintains indications from where said numbers
of different masks required for subset orderings of masks
required for subsets of the first and second ACLs are
generated, and the matrix is traversed based on said indica-
tions from where said numbers of different masks required
for subset orderings of masks required for subsets of the first
and second ACLs are generated. One embodiment populates
multiple block masks of an associative memory with said
masks required for the first and second ACLs such that the
single ordering of masks is produced in the associative
memory.

BRIEF DESCRIPTION OF THE DRAWINGS

The appended claims set forth the features of the inven-
tion with particularity. The invention, together with its
advantages, may be best understood from the following
detailed description taken in conjunction with the accom-
panying drawings of which:
FIGS. 1A-B are block diagrams illustrating a prior art
associative memory with block masks and prior art
approaches for combining masks from two access control
lists;

FIGS. 2A-2D illustrate the generation as performed in one
embodiment of an array/matrix progressively identifying the
number of different masks required for subset orderings of
masks required for subsets of multiple ACLs;

FIGS. 2E-F illustrate the traversal as performed in one
embodiment of an array/matrix to identify a mask ordering;

FIGS. 3A-C illustrate an array/matrix generated and tra-
versed in one embodiment to identify a mask ordering;

FIG. 4A is a flow diagram illustrating a process used in
one embodiment for generating and traversing an array/
matrix;

FIG. 4B is a flow diagram illustrating a process used in
one embodiment for generating and traversing an array/
matrix;

FIG. 5 illustrates pseudo-code used in one embodiment
for generating and traversing an array/matrix; and

FIGS. 6A-C are block diagrams of various exemplary
systems including one or more embodiments for reducing
the number of block masks required for programming mul-
tiple access control lists in an associative memory and/or for
performing lookup operations on the programmed associa-
tive memories.






DETAILED DESCRIPTION 

Disclosed are, inter alia, methods, apparatus, data struc- 
tures, computer-readable medium, mechanisms, and means 
for reducing the number of block masks required for pro- 
gramming multiple access control lists in an associative 
memory. 

Embodiments described herein include various elements 
and limitations, with no one element or limitation contem-
plated as being a critical element or limitation. Each of the 
claims individually recites an aspect of the invention in its 
entirety. Moreover, some embodiments described may 
include, but are not limited to, inter alia, systems, networks, 
integrated circuit chips, embedded processors, ASICs, meth- 
ods, and computer-readable medium containing instructions. 
One or multiple systems, devices, components, etc. may 
comprise one or more embodiments, which may include 
some elements or limitations of a claim being performed by 
the same or different systems, devices, components, etc. The 
embodiments described hereinafter embody various aspects 
and configurations within the scope and spirit of the inven- 
tion, with the figures illustrating exemplary and non-limiting 
configurations. 

As used herein, the term “packet” refers to packets of all 
types or any other units of information or data, including, but 
not limited to, fixed length cells and variable length packets, 
each of which may or may not be divisible into smaller 
packets or cells. The term “packet” as used herein also refers 
to both the packet itself or a packet indication, such as, but 
not limited to all or part of a packet or packet header, a data 
structure value, pointer or index, or any other part or direct 
or indirect identification of a packet or information associ- 
ated therewith. For example, often times a router operates on 
one or more fields of a packet, especially the header, so the 
body of the packet is often stored in a separate memory 
while the packet header is manipulated, and based on the 
results of the processing of the packet (i.e., the packet header 
in this example), the entire packet is forwarded or dropped, 
etc. Additionally, these packets may contain one or more 
types of information, including, but not limited to, voice, 
consecutive masks of the first and second ACLs. In one
embodiment, a last position identified by a last column and
last row of the matrix identifies the number of different
masks required for the single ordering of masks. In one
embodiment, the matrix is traversed based on said numbers
of different masks required for subset orderings of masks
required for subsets of the first and second ACLs. In one
embodiment, the matrix is traversed based on said indica-
tions of where the numbers of different masks are derived.

One embodiment populates multiple block masks of an
associative memory with said masks required for the first
and second ACLs such that the single ordering of masks is
produced in the associative memory.

Finally, in process block 448, the multiple block masks of
an associative memory are populated with the masks
required for the multiple ACLs. Processing is complete as
indicated by process block 450.

Another way of viewing the identification of the ordering
of masks is to define a cost function Cost(X, n), where X is
the ACL, MAX is the maximum number of value entries
with each mask entry. Thus,




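Compute Z, which is an ordering of the aces in $X_1, X_2, \dots, X_m$ where

$$Z = \langle z_1, z_2, \dots, z_{(n_1 + n_2 + \dots + n_m)} \rangle$$

such that

$$\forall x_{ij}\ \exists z_k \text{ where } 1 \le k \le (n_1 + n_2 + \dots + n_m) \text{ and}$$

$$\text{if } x_{ij} = z_a \text{ and } x_{ik} = z_b \text{ and } j < k \text{ then } a < b$$

and $\mathrm{Cost}(Z, n_1 + n_2 + n_3 + \dots + n_m)$ is minimal.

Thus, for two ACLs, m=2 in the above problem statement
and it reduces as follows.
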
For two ACLs, $X_1$ and $X_2$, m=2 and the solution to the above
recurrence relation $V(X_1, X_2 : n_1, n_2)$ gives the optimal
number of masks required. FIG. 5 illustrates pseudo-code
500 for generating and traversing a matrix to identify the
ordering of the masks to use. The process illustrated in
pseudo-code 400 is a formalization of that previously
described herein, so this discussion will not be repeated.
The time requirement for the algorithm [Min_Masks and
Find_Optimized_ACL] is O(mn) where m is the number of
aces in ACLa and n is the number of aces in ACLb. The space
requirement is O(mn).

This algorithm can be easily extended to more than two
ACLs as illustrated in the pseudo-code below. Using the
above approach the time requirement is $O(m_1 m_2 m_3 \dots m_n)$
where ACLa has $m_1$ aces, ACLb has $m_2$ aces ... and ACLn has
$m_n$ aces. The space requirement is $O(m_1 m_2 \dots m_n)$.

Result <= NULL
for (i=1; i<no of ACLs; i++)
    Result <= {Min_Masks(Result, ACLi); Find_Optimized_Acl(Result, ACLi)};

With the above the time requirement is the order of 






which is O(m^) when $m_1 = m_2 = \dots = m_n$ and the space
requirement is O(nm^).
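The matrix generation and traversal described above, together with the successive two-at-a-time combination for more than two ACLs, as an added Python example (it is not the FIG. 5 pseudo-code, which is not reproduced on this page). It assumes each ACL is given as its ordered list of mask labels with consecutive repeats already collapsed, and it ignores the MAX entries-per-block limit; the function names and the sample masks are constructed for illustration.

```python
from functools import reduce

# Constructed sample: mask labels in each ACL's required order.
ACL_1 = ["M1", "M2", "M3", "M4"]
ACL_2 = ["M2", "M5", "M3", "M4"]
ACL_3 = ["M1", "M5", "M4"]


def build_matrix(a, b):
    """cost[i][j] = fewest block masks whose order satisfies a[:i] and b[:j].

    came_from[i][j] records which neighbour produced the number, i.e. the
    "indications from where said numbers ... are generated".
    """
    rows, cols = len(a) + 1, len(b) + 1
    cost = [[0] * cols for _ in range(rows)]
    came_from = [[None] * cols for _ in range(rows)]
    for i in range(1, rows):
        cost[i][0], came_from[i][0] = i, "up"
    for j in range(1, cols):
        cost[0][j], came_from[0][j] = j, "left"
    for i in range(1, rows):
        for j in range(1, cols):
            if a[i - 1] == b[j - 1]:
                # Same mask: one block mask serves both ACLs.
                cost[i][j] = cost[i - 1][j - 1] + 1
                came_from[i][j] = "diag"
            elif cost[i - 1][j] <= cost[i][j - 1]:
                cost[i][j] = cost[i - 1][j] + 1
                came_from[i][j] = "up"
            else:
                cost[i][j] = cost[i][j - 1] + 1
                came_from[i][j] = "left"
    return cost, came_from


def traverse(a, b, came_from):
    """Walk back from the last row/column; masks come out in reverse order."""
    i, j = len(a), len(b)
    reverse_order = []
    while i or j:
        step = came_from[i][j]
        if step == "diag":
            reverse_order.append(a[i - 1])
            i, j = i - 1, j - 1
        elif step == "up":
            reverse_order.append(a[i - 1])
            i -= 1
        else:
            reverse_order.append(b[j - 1])
            j -= 1
    return reverse_order[::-1]


def merge_two(a, b):
    """Single ordering of masks that keeps both required orderings."""
    cost, came_from = build_matrix(a, b)
    merged = traverse(a, b, came_from)
    # The last position of the matrix is the number of masks required.
    assert len(merged) == cost[-1][-1]
    return merged


def merge_all(acls):
    """Combine two ACLs, then combine that result with the next, and so on."""
    return reduce(merge_two, acls, [])


def keeps_order(merged, acl):
    """True if acl's masks appear in merged in their required order."""
    remaining = iter(merged)
    return all(mask in remaining for mask in acl)


if __name__ == "__main__":
    combined = merge_all([ACL_1, ACL_2, ACL_3])
    concatenated = len(ACL_1) + len(ACL_2) + len(ACL_3)
    print(combined, f"{len(combined)} masks instead of {concatenated}")
```

On the sample lists the combined ordering needs 5 block masks where plain concatenation would need 11, and M5 from the second ACL lands between two consecutive masks of the first.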

FIGS. 6A-F are block diagrams of various exemplary 
systems including one or more embodiments for reducing 
the number of block masks required for programming mul- 
tiple access control lists in an associative memory and/or for 
performing lookup operations on the programmed associa- 
tive memories. First, FIG. 6A illustrates one embodiment of 
a system, which may be part of a router or other commu- 
nications or computer system, for determining a reduced 
number of block masks, for programming corresponding
entries and block masks in one or more associative memo- 
ries, and for performing lookup operations to produce results 
which can be used in the processing of packets. In one 
embodiment, control logic 610 determines the required 
ordering of block masks for multiple ACLs and, via signals 
611, programs and updates associative memory or memories 
615. In one embodiment, control logic 610 also programs 
memory 620 via signals 623. In one embodiment, control 
logic 610 includes custom circuitry, such as, but not limited 
to discrete circuitry, ASICs, memory devices, processors, 
etc. 

In one embodiment, packets 601 are received by packet 
processor 605. In addition to other operations (e.g., packet 
routing, security, etc.), packet processor 605 typically gen- 
erates one or more items, including, but not limited to one 
or more packet flow identifiers based on one or more fields 
of one or more of the received packets 601 and possibly 
from information stored in data structures or acquired from 
other sources. Packet processor 605 typically generates a 
lookup value 603 which is provided to control logic 610 for 
providing control and data information to associative 
memory or memories 615, which perform lookup operations 
and generate one or more results 617. In one embodiment, 
a result 617 is used by memory 620 to produce a result
625. Control logic 610 then relays result 607, based on result 
617 and/or result 625, to packet processor 605. In response, 
one or more of the received packets are manipulated and
forwarded by packet processor 605 as indicated by packets 
609. Note, results 617, 625 and 607 may include indications 
of error conditions. 

FIG. 6B illustrates one embodiment of a system, which 
may be part of a router or other communications or computer 
system, for determining a reduced number of block masks, 
TECHNICAL FIELD

One embodiment of the invention relates to communications and computer
systems, especially networked routers, packet switching systems, and other devices using
associative memories (e.g., content-addressable memories); and more particularly, one
embodiment relates to reducing the number of block masks required for programming
multiple access control lists in an associative memory.



BACKGROUND 

The communications industry is rapidly changing to adjust to emerging
technologies and ever increasing customer demand. This customer demand for new
applications and increased performance of existing applications is driving
communications network and system providers to employ networks and systems having
greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a
common approach taken by many communications providers is to use packet switching
technology. Increasingly, public and private communications networks are being built and
expanded using various packet technologies, such as Internet Protocol (IP).

A network device, such as a switch or router, typically receives, processes, and
forwards or discards a packet based on one or more criteria, including the type of protocol
used by the packet, addresses of the packet (e.g., source, destination, group), and type or
quality of service requested. Additionally, one or more security operations are typically
performed on each packet. But before these operations can be performed, a packet
classification operation must typically be performed on the packet.

Packet classification as required for, inter alia, access control lists (ACLs) and
forwarding decisions, is a demanding part of switch and router design. The packet

BRIEF DESCRIPTION OF THE DRAWINGS

The appended claims set forth the features of the invention with particularity. The 
invention, together with its advantages, may be best understood from the following
detailed description taken in conjunction with the accompanying drawings of which: 

FIGs. 1A-B are block diagrams illustrating a prior art associative memory with
block masks and prior art approaches for combining masks from two access control lists;

FIGs. 2A-2D illustrate the generation as performed in one embodiment of an
array/matrix progressively identifying the number of different masks required for subset
orderings of masks required for subsets of multiple ACLs;

FIGs. 2E-F illustrate the traversal as performed in one embodiment of an
array/matrix to identify a mask ordering;

FIGs. 3A-C illustrate an array/matrix generated and traversed in one embodiment
to identify a mask ordering;

FIG. 4A is a flow diagram illustrating a process used in one embodiment for
generating and traversing an array/matrix;

FIG. 4B is a flow diagram illustrating a process used in one embodiment for
generating and traversing an array/matrix;

FIG. 5 illustrates pseudo-code used in one embodiment for generating and
traversing an array/matrix; and

FIGs. 6A-C are block diagrams of various exemplary systems including one or
more embodiments for reducing the number of block masks required for programming
multiple access control lists in an associative memory and/or for performing lookup
operations on the programmed associative memories.
One embodiment populates multiple block masks of an associative memory with
said masks required for the first and second ACLs such that the single ordering of masks
is produced in the associative memory.

Finally, in process block 448, the multiple block masks of an associative memory
are populated with the masks required for the multiple ACLs. Processing is complete as
indicated by process block 450.
Another way of viewing the identification of the ordering of masks is to define a
cost function Cost(X, n), where X is the ACL, MAX is the maximum number of value
entries with each mask entry. Thus,

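$$
\mathrm{Cost}(X, n) =
\begin{cases}
0 & \text{if } n = 0 \\
\mathrm{Cost}(X, n-j) + 1 \ \text{ where } x_n = x_{n-1} = \dots = x_{n-j+1} \text{ and } 0 < j \le \mathrm{MAX} & \text{if } n > 0
\end{cases}
$$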

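Problem statement: Given the ACLs

$$
\begin{aligned}
X_1 &= \langle x_{11}, x_{12}, x_{13}, \dots, x_{1n_1} \rangle \\
X_2 &= \langle x_{21}, x_{22}, x_{23}, \dots, x_{2n_2} \rangle \\
X_m &= \langle x_{m1}, x_{m2}, x_{m3}, \dots, x_{mn_m} \rangle
\end{aligned}
$$

Compute Z, which is an ordering of the aces in $X_1, X_2, \dots, X_m$ where

$$Z = \langle z_1, z_2, \dots, z_{(n_1 + n_2 + \dots + n_m)} \rangle$$

such that

$$\forall x_{ij}\ \exists z_k \text{ where } 1 \le k \le (n_1 + n_2 + \dots + n_m) \text{ and}$$

$$\text{if } x_{ij} = z_a \text{ and } x_{ik} = z_b \text{ and } j < k \text{ then } a < b$$

and $\mathrm{Cost}(Z, n_1 + n_2 + n_3 + \dots + n_m)$ is minimal.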



Thus, for two ACLs, m=2 in the above problem statement and it reduces as follows.



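$$
f_s(X, m) =
\begin{cases}
0 & \text{if } m = 0 \\
j & \text{where } x_m = x_{m-1} = \dots \text{ and } 1 \le j \le \mathrm{MAX}
\end{cases}
$$

$$
V(X, Y : m, n) =
\begin{cases}
\operatorname{Min}\bigl(V(X, Y : m-a, n),\ V(X, Y : m, n-b)\bigr) + 1 \\
\operatorname{Min}\limits_{i+j \le \mathrm{MAX},\ i \le a,\ j \le b} \bigl(V(X, Y : m-i, n-j)\bigr) + 1 & \text{where } x_m = y_n
\end{cases}
$$

where $a = f_s(X, m)$, $b = f_s(Y, n)$ ... Equation 1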

For two ACLs, $X_1$ and $X_2$, m=2 and the solution to the above recurrence relation
$V(X_1, X_2 : n_1, n_2)$ gives the optimal number of masks required. FIG. 5 illustrates
pseudo-code 500 for generating and traversing a matrix to identify the ordering of the
masks to use. The process illustrated in pseudo-code 400 is a formalization of that
previously described herein, so this discussion will not be repeated.

The time requirement for the algorithm [Min_Masks and Find_Optimized_ACL]
is O(mn) where m is the number of aces in ACLa and n is the number of aces in ACLb.
The space requirement is O(mn).

This algorithm can be easily extended to more than two ACLs as illustrated in the
pseudo-code below. Using the above approach the time requirement is $O(m_1 m_2 m_3 \dots m_n)$
where ACLa has $m_1$ aces, ACLb has $m_2$ aces ... and ACLn has $m_n$ aces. The space
requirement is $O(m_1 m_2 \dots m_n)$.



Result <= NULL
for (i=1; i< no of ACLs; i++)
    Result <= {Min_Masks(Result, ACLi); Find_Optimized_Acl(Result, ACLi)};

With the above the time requirement is the order of $O\left(\sum_{i=1} m_i \cdot \sum_{x=i+1} m_x\right)$ which is O(m^)
when $m_1 = m_2 = \dots = m_n$ and the space requirement is O(nm^).

FIGs. 6A-F are block diagrams of various exemplary systems including one or 
more embodiments for reducing the number of block masks required for programming 
multiple access control lists in an associative memory and/or for performing lookup 
operations on the programmed associative memories. First, FIG. 6A illustrates one 
embodiment of a system, which may be part of a router or other communications or